Managing certificates

Certificate Manager data is visible through the Certificate Manager dashboard and reports in Tanium Reporting. Use Tanium Reporting to:

  • Find expired or expiring certificates
  • Identify weak cryptographic algorithms and key lengths
  • View self-signed and unauthorized CA certificates
  • Send certificate data using Tanium Connect

View the Certificate Manager dashboard in Tanium Reporting

The Certificate Manager dashboard in Tanium Reporting includes three sections. The Overview section shows a high-level view of the number of certificates across your endpoints. The Listening SSL/TLS Services Certificate and Cipher Inventory section shows certificates that are currently being served, while the All Certificates section shows all certificates that are being referenced.

  1. From the Main menu, go to Data > Dashboard and select the Certificate Manager label.
  2. To view the dashboard, click Certificate Manager.

You can also go to Modules > Certificate Manager > Overview to view the dashboard in Tanium Reporting.

Click on the name of a chart panel to open the report that supplies the data to that chart, or click any data point on a chart to view the data in the report. For more information about dashboards, see Tanium Reporting User Guide: Working with dashboards.

View expired certificates

  1. From the Main menu, go to Data > Reports and select the Certificate Manager label.
  2. To view the list of expired certificates, click Certificate Manager - Expired Certificates.

You can also click the Expired Certificates panel in the All Certificates section of the Certificate Manager dashboard.

View expiring certificates

View listening service certificates that are expiring in 30 days

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Certificates Expiring in 30 Days to view the list of expiring certificates.

To send a recurring email with the list of listening service certificates that are expiring in 30 days, see Email a report of expiring certificates with Tanium Connect and use the Certificate Manager - Listening Service Certificates Expiring within 30 Days report.

View all certificates that are expiring in 30 days

  1. From the Main menu, go to Data > Reports and select the Certificate Manager label.
  2. To view the list of expiring certificates, click Certificate Manager - Certificates Expiring within 30 Days.

You can also click the Expiring within 30 Days panel in the All Certificates section of the Certificate Manager dashboard.

To send a recurring email with the list of all certificates that are expiring in 30 days, see Email a report of expiring certificates with Tanium Connect and use the Certificate Manager - Certificates Expiring within 30 Days report.

Email a report of expiring certificates with Tanium Connect

Before you begin

Ensure that you have Tanium Connect 5.9.65 or later installed.

Create a connection

  1. From the Main menu, go to Modules > Connect > Connections and then click Create Connection.
  2. In the General Information section, provide a name and optional description for the connection.
  3. In the Configuration section, configure the source and destination.
    1. For Source, select Tanium Reporting (Source Data).
    2. For Report, select one of the following reports:
      • Certificate Manager - Listening Service Certificates Expiring within 30 Days
      • Certificate Manager - Certificates Expiring within 30 Days
    3. For Destination, select Email and then provide the required information. For more information about configuring email destinations, see Tanium Connect User Guide: Configuring email destinations.
  4. In the Configure Output section, select the Format.
  5. In the Schedule section, select Enable Schedule to configure schedule preferences, and then click Save.

    Schedule this connection to run at least weekly.

For more information, see Tanium Reporting User Guide: Export reports through Tanium Connect.

View short keys

View listening service certificates that use short keys

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Short Keys to view the certificates that use a Public Key Bit Size less than 256.

View all certificates that use short keys

  1. From the Main menu, go to Data > Reports and select the Certificate Manager label.
  2. Click Certificate Manager - Short Keys to view the certificates that use a Public Key Bit Size less than 256.

You can also click the Total Short Keys panel in the All Certificates section of the Certificate Manager dashboard.

View weak signatures

View listening service certificates that use weak signatures

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service Signature Hash Algorithms to view the certificates that use the sha1 or md5 Signature Hash Algorithm.

View all certificates that use weak signatures

  1. From the Main menu, go to Data > Reports and select the Certificate Manager label.
  2. Click Certificate Manager - Weak Signatures to view the certificates that use the sha1 or md5 Signature Hash Algorithm.

You can also click the Weak Signature Hash Algorithms panel in the All Certificates section of the Certificate Manager dashboard.

View wildcard certificates

View listening service certificates that use a wildcard subject

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Listening Service with Wildcard Certificates to view the certificates that use a wildcard subject.

View all certificates that use a wildcard subject

  1. From the Main menu, go to Data > Reports and select the Certificate Manager label.
  2. Click Certificate Manager - Wildcard Certificates to view the certificates that use a wildcard subject.

You can also click the Wildcard Certificates panel in the All Certificates section of the Certificate Manager dashboard.

View self-signed certificates

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening Service Certificate Authorized CA Status panel of the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Self Signed.
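
The criteria behind the reports above (expired, expiring within 30 days, Public Key Bit Size less than 256, sha1 or md5 signature hash, wildcard subject, self-signed) can be re-applied to exported certificate data to list every finding per certificate in one pass. The following Python is an added example, not Tanium code; the CSV layout, the column names other than Public Key Bit Size and Signature Hash Algorithm, and all sample values are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows. "Public Key Bit Size" and "Signature Hash Algorithm" are
# names used on this page; the other column names and all values are assumptions.
SAMPLE_CSV = """Computer Name,Subject,Issuer,Not After,Public Key Bit Size,Signature Hash Algorithm
web01,CN=shop.example.test,CN=Example Issuing CA,2024-06-20T00:00:00Z,2048,sha256
web02,CN=*.example.test,CN=Example Issuing CA,2025-01-01T00:00:00Z,2048,sha256
web03,CN=api.example.test,CN=Example Issuing CA,2025-01-01T00:00:00Z,2048,sha256
app01,CN=app01.example.test,CN=app01.example.test,2023-12-31T00:00:00Z,1024,SHA1
db01,CN=db01.example.test,CN=Example Issuing CA,2026-03-01T00:00:00Z,224,md5
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time

WEAK_HASHES = {"sha1", "md5"}        # hashes named by the Weak Signatures report
SHORT_KEY_BITS = 256                 # Short Keys report flags sizes below this
EXPIRY_WINDOW = timedelta(days=30)   # window used by the expiring reports

def findings(row, now):
    """Return the report categories that one certificate row falls into."""
    out = []
    not_after = datetime.fromisoformat(row["Not After"].replace("Z", "+00:00"))
    if not_after <= now:
        out.append("expired")
    elif not_after - now <= EXPIRY_WINDOW:
        out.append("expiring-30d")
    if int(row["Public Key Bit Size"]) < SHORT_KEY_BITS:
        out.append("short-key")
    if row["Signature Hash Algorithm"].strip().lower() in WEAK_HASHES:
        out.append("weak-signature")
    # Checks the subject only; wildcard names in other fields are not visible here.
    if "CN=*." in row["Subject"].upper():
        out.append("wildcard")
    # Heuristic: subject equal to issuer; the signature itself is not verified.
    if row["Subject"].strip() == row["Issuer"].strip():
        out.append("self-signed")
    return out

def triage(csv_text, now):
    """Map (computer, subject) to its findings, dropping rows with none."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["Computer Name"], r["Subject"]): f for r in rows if (f := findings(r, now))}

if __name__ == "__main__":
    for cert, tags in triage(SAMPLE_CSV, SAMPLE_NOW).items():
        print(cert, tags)
```

A certificate that appears in several reports, such as app01 in the sample, shows up once with all of its findings, which helps when deciding what to reissue first.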

View unauthorized certificates

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening Service Certificate Authorized CA Status panel of the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Unauthorized.

After you review the list of unauthorized certificates, you can Configure authorized certificate authorities or Add certificate exceptions.

Prepare for post-quantum cryptography

Certificates that use certain encryption algorithms are more likely to be compromised by future advances in quantum computer capabilities. Certificate Manager does not specifically scan for post-quantum cryptographic algorithms, but the Certificate Manager - Listening Service Cipher Suite Strength report includes a Cipher Suite column that shows the algorithm and key length. This information is used by Certificate Manager to provide the Cipher Suite Strength ratings. The strength ratings are Vulnerable, Acceptable, or Strong.

For more information, see The White House: Memo on Migrating to Post-Quantum Cryptography.

View listening service certificates by cipher suite strength

  1. From the Main menu, go to Modules > Certificate Manager > Overview.
  2. In the Listening SSL/TLS Services Certificate and Cipher Inventory section, click Cipher Inventory by Cipher Suite Strength to view the certificates by cipher suite strength.

View all certificates by cipher suite strength

  1. From the Main menu, go to Data > Reports and select the Certificate Manager label.
  2. Click Certificate Manager - Cipher Inventory.
  3. Click the Cipher Suite Strength column to view the certificates by cipher suite strength.